From d5f2dc6a5ca30590b121622af8f918d4484d4946 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Tue, 22 Jan 2019 16:02:41 -0500
Subject: [release-branch.go1.10-security] crypto/elliptic: reduce subtraction
 term to prevent long busy loop

If beta8 is unusually large, the addition loop might take a very long
time to bring x3-beta8 back positive.

This would lead to a DoS vulnerability in the implementation of the
P-521 and P-384 elliptic curves that may let an attacker craft inputs
to ScalarMult that consume excessive amounts of CPU.

This fixes CVE-2019-6486.

Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
Reviewed-on: https://team-review.git.corp.google.com/c/399777
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
(cherry picked from commit 746d6abe2dfb9ce7609f8e1e1a8dcb7e221f423e)
Reviewed-on: https://team-review.git.corp.google.com/c/401143
Reviewed-by: Filippo Valsorda <valsorda@google.com>
---
 src/crypto/elliptic/elliptic.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
index 35aacf24e5..76b78a790e 100644
--- a/src/crypto/elliptic/elliptic.go
+++ b/src/crypto/elliptic/elliptic.go
@@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
 
 	x3 := new(big.Int).Mul(alpha, alpha)
 	beta8 := new(big.Int).Lsh(beta, 3)
+	beta8.Mod(beta8, curve.P)
 	x3.Sub(x3, beta8)
-	for x3.Sign() == -1 {
+	if x3.Sign() == -1 {
 		x3.Add(x3, curve.P)
 	}
 	x3.Mod(x3, curve.P)
-- 
cgit v1.2.3-54-g00ecf


From d4cad3c4b15a6364d8d98424ee264559f3dd5bdb Mon Sep 17 00:00:00 2001
From: Julie Qiu <julie@golang.org>
Date: Wed, 23 Jan 2019 12:39:16 -0500
Subject: [release-branch.go1.10-security] doc: document Go 1.10.8

Change-Id: I97ce42e1e9a6d10bf1eeccc2763e043d8ebe5bab
Reviewed-on: https://team-review.git.corp.google.com/c/400906
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit efe766c7c0918da96aa21e1ac03a9d3fa57ca156)
Reviewed-on: https://team-review.git.corp.google.com/c/400907
---
 doc/devel/release.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/devel/release.html b/doc/devel/release.html
index 9f4500ac79..89991f48c1 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -87,6 +87,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.7+labe
 Go 1.10.7 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.10.8 (released 2019/01/23) includes a security fix to the
+<code>crypto/elliptic</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.8+label%3ACherryPickApproved">Go
+1.10.8 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.9">go1.9 (released 2017/08/24)</h2>
 
 <p>
-- 
cgit v1.2.3-54-g00ecf


From ed3af1d472dad80cf070848917b80276ecb6a652 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Fri, 11 Jan 2019 14:26:24 -0800
Subject: [release-branch.go1.10-security] net: pass if at least one matching
 entry in TestLookupGmailTXT

Fixes #29698

Change-Id: I0531c0a274b120af8871aa2f5975744ff6c912a3
Reviewed-on: https://go-review.googlesource.com/c/157638
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://team-review.git.corp.google.com/c/401204
Reviewed-by: Filippo Valsorda <valsorda@google.com>
---
 src/net/lookup_test.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/net/lookup_test.go b/src/net/lookup_test.go
index 24787ccf2b..01901e6217 100644
--- a/src/net/lookup_test.go
+++ b/src/net/lookup_test.go
@@ -184,11 +184,16 @@ func TestLookupGmailTXT(t *testing.T) {
 		if len(txts) == 0 {
 			t.Error("got no record")
 		}
+		found := false
 		for _, txt := range txts {
-			if !strings.Contains(txt, tt.txt) || (!strings.HasSuffix(txt, tt.host) && !strings.HasSuffix(txt, tt.host+".")) {
-				t.Errorf("got %s; want a record containing %s, %s", txt, tt.txt, tt.host)
+			if strings.Contains(txt, tt.txt) && (strings.HasSuffix(txt, tt.host) || strings.HasSuffix(txt, tt.host+".")) {
+				found = true
+				break
 			}
 		}
+		if !found {
+			t.Errorf("got %v; want a record containing %s, %s", txts, tt.txt, tt.host)
+		}
 	}
 }
 
-- 
cgit v1.2.3-54-g00ecf


From b0cb374daf646454998bac7b393f3236a2ab6aca Mon Sep 17 00:00:00 2001
From: Julie Qiu <julie@golang.org>
Date: Wed, 23 Jan 2019 14:08:07 -0500
Subject: [release-branch.go1.10-security] go1.10.8

Change-Id: Ie18399a328452f61b232a6929ecf53cb79306773
Reviewed-on: https://team-review.git.corp.google.com/c/400910
Reviewed-by: Filippo Valsorda <valsorda@google.com>
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 0e23a5c14f..385b67f2f8 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.10.7
\ No newline at end of file
+go1.10.8
\ No newline at end of file
-- 
cgit v1.2.3-54-g00ecf